
Mac users beware — this devious new infostealer malware disguises itself as official Apple tools to lure in victims

SentinelOne researchers have identified a new macOS infostealer called Reaper. It is delivered through typosquatted domains and fake software-update prompts and is built to steal browser credentials, cryptocurrency wallet data, and sensitive documents from the infected Mac.

Key Points

  • Reaper spreads through malicious domains that impersonate popular applications such as WeChat and Miro.
  • Once installed, it drops components posing as Apple and Google updaters to persist on the system and keep backdoor access.
  • It specifically targets browser-stored credentials, password managers such as 1Password and Bitwarden, and crypto wallets including MetaMask.
  • The operators are likely Russian-speaking: the malware exits without running if it determines the host is located in a Commonwealth of Independent States country, a check commonly seen in malware from that region.
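
Persistence through launch items named after Apple or Google updaters, as the second point describes, can be checked on a Mac by auditing launchd plists. The script below is an added example written for this page, not code from SentinelOne, TechRadar or the malware analysis; its trusted-path rules and the four sample plists are constructed assumptions, and what it reports are heuristics worth a look, not confirmed Reaper indicators.

```python
"""Flag launchd items that borrow Apple or Google branding but run from unexpected places.

Added example (not from the original article). Heuristic: a com.apple.* label in a
user's or third-party LaunchAgents directory, or a com.apple.*/com.google.* label whose
program lives outside the vendor's normal install paths, deserves review.
"""
import plistlib
from pathlib import PurePosixPath
from typing import Optional
from xml.parsers.expat import ExpatError

# Where genuine Apple and Google launch items normally execute from.
# Assumption based on stock macOS layout and Google's Keystone updater; tune per fleet.
TRUSTED_PROGRAM_PREFIXES = {
    "com.apple.": ("/System/", "/usr/", "/Library/Apple/"),
    "com.google.": ("/Library/Google/", "/Applications/Google Chrome.app/"),
}
# Keystone also installs a per-user agent under ~/Library/Google/.
TRUSTED_HOME_PREFIXES = {"com.google.": ("Library/Google/",)}


def program_path(plist: dict) -> Optional[str]:
    """launchd accepts either a Program string or ProgramArguments[0]."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else None


def assess(plist_path: str, plist_bytes: bytes, home: str = "/Users/alice") -> list:
    """Return the reasons an item looks suspicious; an empty list means not flagged."""
    reasons = []
    try:
        plist = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return ["unparseable plist"]
    label = str(plist.get("Label", ""))
    prog = program_path(plist)
    third_party_dirs = (f"{home}/Library/", "/Library/LaunchAgents/", "/Library/LaunchDaemons/")
    for vendor, prefixes in TRUSTED_PROGRAM_PREFIXES.items():
        if not label.startswith(vendor):
            continue
        # Apple ships its own agents and daemons under /System/Library; an Apple-named
        # plist in a user or third-party launch directory was not installed by Apple.
        if vendor == "com.apple." and plist_path.startswith(third_party_dirs):
            reasons.append(f"{label}: Apple-branded plist outside /System/Library ({plist_path})")
        if prog is None:
            reasons.append(f"{label}: no Program or ProgramArguments")
            break
        home_ok = any(prog.startswith(f"{home}/{p}") for p in TRUSTED_HOME_PREFIXES.get(vendor, ()))
        if not prog.startswith(prefixes) and not home_ok:
            reasons.append(f"{label}: {vendor}* label runs {prog}")
        # Dropped "updaters" are often stashed in hidden directories.
        if any(part.startswith(".") for part in PurePosixPath(prog).parts[1:]):
            reasons.append(f"{label}: program lives in a hidden directory")
    return reasons


def make_plist(label: str, args: list) -> bytes:
    """Build a constructed launchd plist for the demo."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": True})


# Constructed sample inventory: (plist path, plist contents). Not real-world captures.
SAMPLES = [
    ("/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.helper.plist",
     make_plist("com.apple.softwareupdate.helper",
                ["/Users/alice/Library/Application Support/.updater/SoftwareUpdate"])),
    ("/Users/alice/Library/LaunchAgents/com.google.keystone.agent.plist",
     make_plist("com.google.keystone.agent",
                ["/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/"
                 "Contents/MacOS/GoogleSoftwareUpdateAgent"])),
    ("/Library/LaunchDaemons/com.google.updatedaemon.plist",
     make_plist("com.google.updatedaemon", ["/tmp/GoogleUpdate"])),
    ("/System/Library/LaunchAgents/com.apple.cfprefsd.xpc.agent.plist",
     make_plist("com.apple.cfprefsd.xpc.agent", ["/usr/sbin/cfprefsd", "agent"])),
]


def audit(samples=SAMPLES) -> dict:
    """Map each plist path to its list of reasons (empty list = clean)."""
    return {path: assess(path, data) for path, data in samples}


if __name__ == "__main__":
    for path, reasons in audit().items():
        print(("FLAG " if reasons else "ok   ") + path)
        for r in reasons:
            print("      - " + r)
```

On a live system the same `assess` function can be fed the contents of `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; the two fake updaters in the sample set are flagged while the genuine Keystone agent and the Apple agent under /System pass.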

Why it Matters

This campaign highlights the growing sophistication of macOS-targeted threats that borrow trusted software branding to avoid user suspicion. Stolen wallet data and browser session tokens are a serious risk to individuals and to enterprises that rely on cloud collaboration tools: a valid session token lets an attacker reuse an already-authenticated session without the password or a second factor, so exposed sessions need to be revoked, not just passwords rotated.
Source: TechRadar, by Sead Fadilpašić